Gmail sending out warnings for 512 bit DKIM keys

As an update to yesterday’s post, Gmail is contacting postmasters at domains signing with 512 bit keys to warn them of the upcoming changes. This message also clarifies “DKIM keys failing.” Messages signed with 512 bit keys or less will be treated as unsigned by Gmail in the next week or so.

Hello,

We noticed that your domain is sending email to Gmail users that is DKIM signed with a 512-bit RSA key. RFC 6376 requires DKIM signing mail using RSA keys of at least 1024-bits for long-lived keys (https://tools.ietf.org/html/rfc6376#section-3.3.3). Shorter keys could be factored by an attacker. As you may know, this attack has been publicly reported. US-CERT has also issued an advisory to upgrade all keys lower than 1024-bits (http://www.kb.cert.org/vuls/id/268267).

As such, we strongly encourage you to upgrade your RSA keys to be at least 1024-bits long.

To best protect our users, Gmail will begin treating emails signed with 512-bit keys as unsigned in about a week. If you continue to use your current key, your messages will not DKIM authenticate.

Affected key:
example._domainkey.example.com descriptive text “k=rsa; p=AKDA3adkelLHaK653IuYD aVgIFc/FBvErvNOkCAwEAAQ==;”

Thank you,
Gmail Team

Is Google failing DKIM keys shorter than 512 bits?
Return Path announces new abuse prevention service

Related Posts

ESPs, Non-portable Reputation and Vendor Lock-in

I’ve seen some mentions recently of ESPs suggesting that if you use your own domain in the From: of mail you send through an ESP then that ESP can’t “do email authentication” properly unless they require you to edit your domains DNS settings. That’s not really so, but there is a kernel of truth in there.
The real situation is, unsurprisingly, a bit more complicated.
What authentication features should you look for in an ESP?

Read More

DKIM implementation survey: prelim results

First off, I want to thank everyone who participated in the DKIM implementation survey. This week has been pretty hectic so far, so I haven’t had a chance to actually dig down into the data from the survey, but I thought I’d post some preliminary results.
The ESP survey had 45 respondents. 30% of those sent more than 15 million emails a month.
Of all the respondents: 40% are signing with Domain Keys, 51.1% are signing with DKIM.
Of all respondents: 79.5% are signing with Domain Keys and 78.8% are signing with DKIM to access services (whitelists or FBLs) provided by the ISPs.
50% of those not signing with Domain Keys are not doing so because customers have not requested it.  61% of those not signing with DKIM are not doing it because of technical difficulties with deployment.
The ISP survey had 16 respondents, with 37.5% handling less than 500,000 mailboxes and 18.8% handling more than 15 million mailboxes. 75% of respondents said they are not checking Domain Keys on inbound mail. 56% said they are not currently checking DKIM on inbound mail.
Only 10 ISPs answered the question if they plan to check either Domain Keys or DKIM.

Read More

Is Google failing DKIM keys shorter than 512 bits?

Today’s Wednesday question comes from Andrew B. and got pushed to Thursday so I could check a few more facts.

Read More